LinuxSA Mailing list archives
Index:
[thread]
[date]
[subject]
[author]
[stats]
From: David Creed <dave.and.jen@internode.on.net>
To : LinuxSA <linuxsa@linuxsa.org.au>
Date: Wed, 03 Dec 2003 17:56:57 +1030
Unusual entry in Snort log
Hi guys and gals, got a query I hope you can give me some direction on.
I installed snort a couple of weeks ago and came home today to find this
log (attached below) with unusual entries.
I don't like the sound of port scans coming FROM my machine, have I been
"0wn3d"?
Advise and opinions gratefully accepted.
Cheers,
David Creed
-----Forwarded Message-----
Events between 12 02 18:47:06 and 12 02 22:04:50
Total events: 27
Signatures recorded: 21
Source IP recorded: 2
Destination IP recorded: 22
Events from same host to same destination using same method
=========================�=========================�=======================
# of from to method
=========================�=========================�=======================
2 192.168.1.252 216.73.87.13 (spp portscan2) Portscan detected �from 192.168.1.252: 6 targets 6 ports in 3 seconds
Percentage and number of events from a host to a destination
=========================�=========================�==========
% # of from to
=========================�=========================�==========
11.11 3 192.168.1.252 192.231.203.130
7.41 2 192.168.1.252 216.73.87.13
7.41 2 192.168.1.252 66.35.250.124
7.41 2 192.168.1.252 213.150.41.226
Percentage and number of events from one host to any with same method
=========================�=========================�============
% # of from method
=========================�=========================�============
11.11 3 192.168.1.252 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 3 seconds
7.41 2 192.168.1.252 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 0 seconds
7.41 2 192.168.1.252 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 8 seconds
7.41 2 192.168.1.252 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 2 seconds
7.41 2 192.168.1.252 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 39 seconds
Percentage and number of events to one certain host
=========================�=========================�===============
% # of to method
=========================�=========================�===============
7.41 2 216.73.87.13 (spp portscan2) Portscan detected from 192.16�8.1.252: 6 targets 6 ports in 3 seconds
The distribution of event methods
=========================�======================
% # of method
=========================�======================
11.11 3 (spp portscan2) Portscan detected from 192.168.1.252
7.41 2 (spp portscan2) Portscan detected from 192.168.1.252
7.41 2 (spp portscan2) Portscan detected from 192.168.1.252
7.41 2 (spp portscan2) Portscan detected from 192.168.1.252
7.41 2 (spp portscan2) Portscan detected from 192.168.1.252
signature.asc
--
LinuxSA WWW: http://www.linuxsa.org.au/ IRC: #linuxsa on irc.freenode.net
To unsubscribe from the LinuxSA list:
mail linuxsa-request@linuxsa.org.au with "unsubscribe" as the subject
Index:
[thread]
[date]
[subject]
[author]
[stats]
Return to the LinuxSA Mailing List Information Page